Friday April 22, 2011 2:38 pm

Researchers say police already use iPhone tracking data

A pair of mobile forensic researchers who independently identified a location tracking system on the iPhone 4 several months before it was publicized earlier this week say that law enforcement agencies are currently using data from a hidden iOS file called "consolidated.db" in criminal investigations.

Evidence from the location tracking database stored on iPhones "has been used in actual criminal investigations and yes, it's led to convictions," said Alex Levinson, a Rochester Institute of Technology researcher and technical lead for iOS forensics consultant Katana Forensics.

But Levinson and Christopher Vance, a Marshall University digital forensics specialist, also contend that Apple probably included the technology in its iOS operating system to deliver location-based services like iAds rather than to create dossiers on the whereabouts of iPhone users.

A great deal of buzz has surrounded a Wednesday O'Reilly Radar blog post by researchers Pete Warden and Alasdair Allan that highlighted a hidden file on iOS devices like the iPhone and iPad which includes latitude-longitude coordinates and a timestamp to track where such devices have been geographically and when.

But Warden and Allan apparently weren't the first to discover the file.

Vance told us Thursday that he came across the location tracking database shortly after running some forensics software on the iPhone 4 he purchased in the summer of 2010.

"I just happened to get an early release of a forensic product in beta and all of a sudden it pulled out this database," Vance said. He wrote about his discovery in a September 2010 blog post that erroneously stated that GPS data was being stored in the consolidated.db file.

Instead, the database collects location data on iOS devices by tracking connections to cell towers. Vance corrected his earlier post in a February update on his blog.

While he has gone back and forth over Apple's purpose in storing the location tracking data, Vance now says it's likely done to deliver the location-based services that Apple defended in a letter sent to Congress last year.

And the reason Apple uses cell tower connections rather than more precise location tracking data that could be delivered by a built-in GPS?

"If I had to guess, it's probably a matter of OS efficiency," Vance said. "The database is probably there to decrease the amount of time needed to generate GPS information for the location services or iAds built into the apps on iOS. Using assisted GPS is much faster and less of a strain on your battery life."

Vance, who is also a forensics consultant to the West Virginia State Police, said he has checked the consolidated.db file at the request of law enforcement officers but that so far no iPhone's location tracking database he has examined has produced a "smoking gun" that broke open an investigation.

"But it's been helpful," he added. "And that's not to say that we haven't found a 'smoking gun' in our forensics on iPhones or other phones, just not anything directly connected to the [location tracking] database."

The fact that the consolidated.db files have created such an uproar is a bit confusing to Vance and Levinson, who also discovered the database shortly after the iPhone's release in 2010.

Vance said all manner of data found on mobile devices like smartphones are already used as evidence in criminal investigations—much of it more useful to law enforcement than the consolidated.db files on iPhones.

"These people are carrying around basically computers in their pockets. Analyzing an iPhone is pretty much the same as analyzing an [Apple Mac] OS X computer. You can use browser history, cache data, what you can determine from Google Maps, keyboard logs, call history, etc.," he said.

Levinson said law enforcement agencies that Katana Forensics has worked with have conducted all of their searches on iPhones in a legal manner, either getting warrants or permission from a device's owner to perform a search.

And singling out Apple would be a mistake, Levinson said.

"Third-party applications also use location tracking," he said. "Other OSes do it. From a security standpoint, the OS is not necessarily the biggest vulnerability. The third-party apps are. That's also true from a forensics standpoint. And if you're going to hold Apple accountable, you have to hold the third-party app developers accountable. And you have to hold Android and the other OSes accountable."

But do Google's Android and other mobile OSes like Symbian, WebOS, Windows Phone and the Blackberry OS include something similar to the location tracking and data storage done on iOS devices? Levinson wouldn't say, but mentioned that he is currently researching a number of non-iOS mobile devices and would be presenting his findings soon.

Levinson also said that in the past several months, Katana has collaborated with local, state, national and even international law enforcement agencies on consolidated.db forensics. He wouldn't name any such agencies or identify specific investigations where the iPhone's location tracking file had come into play, but said the number is large, though "not in the hundreds."

Law enforcement agencies including the FBI, Interpol and the New York Police Department had not responded to PCMag.com inquiries about their use of consolidated.db data in investigations as of Thursday afternoon.

Levinson and Vance are also somewhat miffed that Warden and Allan have received credit for "discovering" the iPhone's location tracking technology. Vance seemed more bemused than offended—calling the rush to lionize the two researchers "a bit of a letdown."

Levinson said he feels "a little bit professionally disrespected." He said he'd pointed out the existence of the file at forensics conferences and that it was even included in a book written by Katana Forensics managing director Sean Morrissey that was published last December.

"I don't want to accuse [Warden and Allan] of being malicious. But if I was going into a new field that was a bit uncharted, I'd feel obligated to learn more about what was going on," he said, contending that the researchers or O'Reilly Radar could have learned of his work in the area fairly easily before publishing a claim to their "discovery."

Will Apple remove location tracking in future versions of iOS? Levinson said there's "no technical reason why they'd have to do so," but said public relations concerns over what could become a cause célèbre for privacy advocates were a different matter.

Apple has not commented publicly on the existence of the location tracking database in its iOS devices.

This article, written by Damon Poeter, originally appeared on PCMag.com and is republished on Gear Live with the permission of Ziff Davis, Inc.